[KAFKA-13202] KIP-768: Extend SASL/OAUTHBEARER with Support for OIDC - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.1.0
Component/s: clients, security
Labels:
- OAuth

Description

This task is to provide a concrete implementation of the interfaces defined in KIP-255 to allow Kafka to connect to an OAuth / OIDC identity provider for authentication and token retrieval. While KIP-255 provides an unsecured JWT example for development, this will fill in the gap and provide a production-grade implementation.

The OAuth/OIDC work will allow out-of-the-box configuration by any Apache Kafka users to connect to an external identity provider service (e.g. Okta, Auth0, Azure, etc.). The code will implement the standard OAuth clientcredentials grant type.

The proposed change is largely composed of a pair of AuthenticateCallbackHandler implementations: one to login on the client and one to validate on the broker.

See KIP-768: Extend SASL/OAUTHBEARER with Support for OIDC for more detail.

Attachments

Issue Links

links to

GitHub Pull Request #11284

Activity

People

Assignee:: Kirk True

Reporter:: Kirk True

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 13/Aug/21 19:47

Updated:: 29/Jun/23 21:07

Resolved:: 28/Oct/21 18:38